Administrator Guide
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 8
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 9
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
!
Configuring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-
specific options: privilege level and roles. The Dell EMC Networking vendor-ID is 6027 and the supported option has attribute of
type string, which is titled “Force10-avpair”. The value is a string in the following format:
protocol : attribute sep value
“attribute” and “value” are an attribute-value (AV) pair defined in the Dell EMC Networking OS TACACS+ specification, and
“sep” is “=”. These attributes allow the full set of features available for TACACS+ authorization and are authorized with the
same attributes for RADIUS.
Example for Configuring a VSA Attribute for a Privilege Level 15
The following example configures an AV pair which allows a user to login from a network access server with a privilege level of
15, to have access to EXEC commands.
The format to create a Dell EMC Networking AV pair for privilege level is shell:priv-lvl=<number> where number is a
value between 0 and 15.
Force10-avpair= ”shell:priv-lvl=15“
Example for Creating a AVP Pair for System Defined or User-Defined Role
The following section shows you how to create an AV pair to allow a user to login from a network access server to have access
to commands based on the user’s role. The format to create an AV pair for a user role is Force10-
avpair= ”shell:role=<user-role>“ where user-role is a user defined or system-defined role.
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole
myrole inherit command on the switch to associate it with this AV pair.
Force10-avpair= ”shell:role=myrole“
The string, “myrole”, is associated with a TACACS+ user group. The user IDs are associated with the user group.
Role Accounting
This section describes how to configure role accounting and how to display active sessions for roles.
This sections consists of the following topics:
● Configuring AAA Accounting for Roles
● Applying an Accounting Method to a Role
● Displaying Active Accounting Sessions for Roles
740
Security